The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554 is a European Union regulation. It requires financial entities to improve their digital operational resilience.
Aim
DORA aims to improve the digital operational resilience of financial entities in the EU and their ICT suppliers and create a uniform regulatory framework across the EU, in order to reduce the susceptibility to cyber threats across the entire value chain of the financial sector. In addition, DORA intends to harmonize national regulations regarding the security of IT systems in the financial sector, thus strengthening the European financial market as a whole against cyber risks and information and communications technology incidents.
Scope
The regulation applies to financial entities and third-party suppliers of ICT services. Article 2 defines financial entities as:
- credit institutions
- payment institutions
- account information service providers
- electronic money institutions
- investment firms
- crypto-asset service providers and issuers of asset-referenced tokens
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- securitisation repositories
The regulation explicitly does not apply to:
- managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU
- insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC
- institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total
- natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises
- post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU
Proportionality principle
Article 4 defines the proportionality principle, resulting in some exceptions for smaller enterprises which fall within the scope of the regulation despite their size. This allows for a simplified implementation of certain requirements in accordance with the overall risk profile of the enterprise. An example for this is the simplified ICT risk management framework according to Article 16 in combination with a regulatory technical standard (RTS).
Structure
The regulation comprises 64 articles divided into 9 chapters:
- General provisions (Art. 1–4)
- ICT risk management (Art. 5–16)
- ICT-related incident management, classification and reporting (Art. 17–23)
- Digital operational resilience testing (Art. 24–27)
- Managing of ICT third-party risk (Art. 28–44)
- Information-sharing arrangements (Art. 45)
- Competent authorities (Art. 46–56)
- Delegated acts (Art. 57)
- Transitional and final provisions (Art. 58–64)
In addition, the European Supervisory Authorities develop regulatory and implementing technical standards (RTS and ITS), which, being published in the Official Journal of the European Union, also become legally binding:
Type | Subject | DORA reference | Implemented | Status |
---|---|---|---|---|
RTS | ICT risk management framework | Art. 15 | Commission Delegated Regulation (EU) 2024/1774 | In force |
RTS | Simplified ICT risk management framework | Art. 16 (3) | Commission Delegated Regulation (EU) 2024/1774 | In force |
RTS | Classification of ICT-related incidents and cyber threats | Art. 18 (3) | Commission Delegated Regulation (EU) 2024/1772 | In force |
RTS | Content of the reports for major ICT-related incidents | Art. 20 (a) | Adopted October 23, 2024; pending publication in Official Journal | |
ITS | Standard forms, templates and procedures for financial entities to report a major ICT-related incident | Art. 20 (b) | Final draft published July 17, 2024 | |
RTS | Threat-led penetration testing | Art. 26 (11) | Final draft published July 17, 2024 | |
ITS | Standard templates for the purposes of the register of information | Art. 28 (9) | Draft rejected by the Commission on September 3, 2024 | |
RTS | Policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (third-party policy) | Art. 28 (10) | Commission Delegated Regulation (EU) 2024/1773 | In force |
RTS | Specification of elements when subcontracting ICT services supporting critical or important functions | Art. 30 (5) | Final draft published July 26, 2024 | |
Guidelines | Cooperation between the ESAs and the competent authorities regarding the structure of the oversight framework | Art. 32 (7) | Published November 6, 2024 | |
RTS | Harmonisation of conditions enabling the conduct of the oversight activities | Art. 41 | Adopted October 24, 2024; pending publication in Official Journal |
Impact
DORA will have an impact on pension schemes. Pension schemes having more than 15 but fewer than 100 members will be subject to a simplified ICT risk management framework.
References
- Pattison, Andrew. A Guide to the EU Digital Operational Resilience Act. Walter de Gruyter. ISBN 9781787784536.
- Rodenburg-Luitse, Willemijn (2023-01-25). "EU neemt met Dora baanbrekende it-wetgeving aan". Computable.nl (in Dutch). Retrieved 2024-05-21.
- "Exploring DORA's Impact on Pension Schemes". Mason Hayes Curran. Retrieved 12 December 2024.